Valve: SQL Injection in report_xml.php through countryFilter[] parameter

2018-07-18T14:16:01
ID H1:383127
Type hackerone
Reporter moskowsky
Modified 2018-07-27T21:29:23

Description

An unvalidated parameter on a partner reporting page (report_xml.php) could be used to read certain SQL data from a single backing database. Blind SQL Injection && Akamai WAF Bypass. Wait for the write-up ;)